Dynamic Network Segmentation using Identity

By Mike Miracle, SVP Marketing and Strategy

Network segmentation is a best practice for security and compliance, but it is increasingly impractical to implement and maintain in large corporate environments. Today’s dynamic environments have exposed the underlying weakness of segmentation approaches that rely on network topology and addresses. Creating network security zones with access control lists and firewall rules can be done, but the cost, complexity, and administrative overhead of maintaining these address-based approaches have become prohibitive, and even then they are still not secure.

This has led to the so-called flat network syndrome, where everyone inside a network can access everything. In a flat network, there are no security boundaries between development, production, and even your finance systems, whether for employees or for third-party contractors. While this may make business execution easier for employees and their vendors, it is a nightmare for your security and compliance teams. Once an attacker gets inside the network or someone’s credentials are compromised, there are minimal defenses to stop unauthorized access to data, or to stop a breach from spreading across internal systems or even into a partner’s network and systems.

Using Identity for Network Segmentation

A new approach to segmentation is to apply identity-based access controls at the network transport layer, dynamically segmenting networks by blocking or allowing individual network connections. Today, identity is widely used at the application layer for access control, but it is not available at the network layer. If identity were available and used to authenticate access to network resources, dynamic network segmentation could be accomplished with a least-privilege access model.

Existing identity management system constructs such as groups and departments can be used for access control to network resources. Network security policy is then based on identity and separated from the network design (addresses and topologies). Network segmentation is then more intuitive and responsive, with security policies that are dynamic, automated, and maintainable since they are derived from your existing identity management system. This reduces the complexity, management overhead, and inflexibility associated with current network access and segmentation techniques.

Further, identity-based network segmentation offers a practical way to describe and monitor access policies, handle exceptions, and provide proof to auditors and regulators of your controls, including who is doing what. Full transparency is provided simply by monitoring access exceptions at the network layer and providing attribution information to your policy and procedures teams for reporting and remediation. Contrast that simplicity with attempting to prove that your ACLs and firewall policies are configured correctly to separate traffic between security zones, and that no unauthorized access has taken place.
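To make the model concrete, here is a small policy engine written for this article; it is an added illustration, not BlackRidge code and not a description of how their product works. It assumes a constructed identity directory (standing in for a group/department source such as a corporate directory), zones defined by address range, and a policy written only in terms of groups and zones. Each connection attempt is decided once, default-deny, and every decision is recorded with identity attribution so denials can be reported as access exceptions. The sample users, groups, and address ranges are all made up.

```python
"""Identity-based segmentation decision engine (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed identity directory: identity -> groups.
# Stands in for an existing identity management system (AD/LDAP/IdP).
DIRECTORY = {
    "alice": {"developers"},
    "bob": {"finance"},
    "carol": {"developers", "ops"},
    "vendor-x": {"contractors"},
}

# Zones are the only place addresses appear. Re-addressing a zone means
# editing this table; the policy below never changes.
ZONES = {
    "dev": ip_network("10.1.0.0/16"),
    "prod": ip_network("10.2.0.0/16"),
    "finance": ip_network("10.3.0.0/16"),
}

# Policy in identity terms: group -> zones the group may connect to.
POLICY = {
    "developers": {"dev"},
    "ops": {"dev", "prod"},
    "finance": {"finance"},
    "contractors": {"dev"},
}


@dataclass
class Decision:
    action: str                 # "ALLOW" or "BLOCK"
    identity: Optional[str]     # who (None if no identity on the connection)
    groups: frozenset           # attribution: which groups the identity held
    zone: Optional[str]         # which zone the destination belongs to
    reason: str


AUDIT_LOG: list = []            # every decision, allow or block


def zone_of(dst_ip: str) -> Optional[str]:
    """Map a destination address to its zone, or None if unzoned/invalid."""
    try:
        addr = ip_address(dst_ip)
    except ValueError:
        return None
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(identity: Optional[str], dst_ip: str) -> Decision:
    """Decide a connection at first-packet time. Unknown identity, unzoned
    destination, or no matching group permission all fall to BLOCK."""
    known = identity is not None and identity in DIRECTORY
    groups = frozenset(DIRECTORY[identity]) if known else frozenset()
    zone = zone_of(dst_ip)
    if not known:
        d = Decision("BLOCK", identity, groups, zone, "no valid identity")
    elif zone is None:
        d = Decision("BLOCK", identity, groups, zone, "destination not in any zone")
    else:
        allowed = set().union(*(POLICY.get(g, set()) for g in groups))
        if zone in allowed:
            d = Decision("ALLOW", identity, groups, zone, f"policy permits {zone}")
        else:
            d = Decision("BLOCK", identity, groups, zone, f"no group permits {zone}")
    AUDIT_LOG.append(d)
    return d


def update_directory(identity: str, groups: set) -> None:
    """Simulate a directory change (e.g. a transfer between departments).
    Network access follows automatically; no policy or ACL edit is needed."""
    DIRECTORY[identity] = set(groups)


def exceptions() -> list:
    """Access exceptions for the compliance team: every BLOCK, with attribution."""
    return [d for d in AUDIT_LOG if d.action == "BLOCK"]


def audit_report() -> list:
    """One human-readable line per exception."""
    return [f"{d.identity or '<unauthenticated>'} groups={sorted(d.groups)} "
            f"zone={d.zone} -> {d.action}: {d.reason}" for d in exceptions()]


if __name__ == "__main__":
    decide("alice", "10.1.5.5")      # developer reaching dev: ALLOW
    decide("alice", "10.3.1.1")      # developer reaching finance: BLOCK
    decide(None, "10.2.0.1")         # no identity on first packet: BLOCK
    print("\n".join(audit_report()))
```

The point of the design is in what is absent: the policy table contains no addresses, and the decision function never consults topology. When a user's group membership changes in the directory, `update_directory` is all that happens and the next connection is decided under the new membership; the audit log already carries the who, the groups, and the zone for each denial, which is the attribution a reviewer would ask for.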

Identity-based Network Segmentation

BlackRidge Transport Access Control applies identity-based security policies to the first packet of a TCP/IP connection, controlling the visibility of and access to network resources at the earliest possible moment. BlackRidge integrates with your existing identity infrastructure to learn identities dynamically and automate network security policies, without user or administrator action. Network policy actions, including blocking, redirecting, or forwarding traffic, are logged along with identity attribution information.

A network security model that is independent of network topology and protocols is a far more logical, consistent, and simple approach to segmenting your network. Please contact us to learn more about how BlackRidge can segment and isolate networks to limit risk and meet compliance requirements, identify and contain access by insider and third-party threats, and provide attribution of unauthorized and rogue actions.